Admin Consoles, Default Creds, and Sweet Pwnage

When performing internal network penetration tests, one thing that really gets us excited is finding administrative consoles. Tomcat and phpMyAdmin are two of the most common I have come across. The reason we get excited is that many of these consoles have never had their default credentials changed. Why? Because they're on the internal network! No one would ever attack these systems, right? Well, we would, and do! For example, we were at a large organization doing an internal penetration test and stumbled across a number of servers running Apache Tomcat, as indicated by our nmap scans:

8180/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response
|_http-title: Apache Tomcat/5.5

If you don't already know, the default username and password for the Tomcat Manager is typically tomcat:tomcat. I have found CIRT.net to be a good resource for default credentials for a variety of product web admin consoles, and a simple Google search will turn up other resources. In this example, Tomcat Manager is configured to listen on port 8180, so we simply pointed our browser at the server on that port and were immediately prompted with a Basic Authentication login box.
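The flip side of this, for whoever owns the Tomcat servers, is checking the realm configuration before someone else does. The following Python script is an added example (not code from the original post) that audits a Tomcat tomcat-users.xml for the tomcat:tomcat default the post describes, for any other sample-config password, and for accounts that hold a Manager role. It assumes the stock file layout with plain-text password attributes; the sample file embedded in it is constructed for the example.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials and Manager access.

Added example, not code from the original post. It assumes the stock
tomcat-users.xml layout: <tomcat-users> containing <role> and <user> elements
with username/password/roles attributes.
"""
import xml.etree.ElementTree as ET

# Known default username:password pairs. tomcat:tomcat is the one the post
# discusses; add others for the products you run.
DEFAULT_CREDENTIALS = {("tomcat", "tomcat")}

# Passwords shipped in sample configs (Tomcat 5.5 gave several sample users
# the password "tomcat"), flagged regardless of username.
DEFAULT_PASSWORDS = {"tomcat"}

# Roles that grant access to the Manager application. Tomcat 5.5 used a single
# "manager" role; later releases split it into manager-gui, manager-script, etc.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample: an unmodified install plus one properly configured deploy user.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="role1" password="tomcat" roles="tomcat"/>
  <user username="deploy" password="Zq7!vR2m$Lp9wTc4" roles="manager"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text, min_length=12):
    """Return (username, finding) tuples for every risky <user> entry.

    Findings are emitted in document order so the caller can map them back
    to the file; a user may produce more than one finding.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}

        if (name, password) in DEFAULT_CREDENTIALS or password in DEFAULT_PASSWORDS:
            findings.append((name, "default credentials"))
        elif password == "":
            findings.append((name, "empty password"))
        elif len(password) < min_length:
            findings.append((name, "short password"))

        granted = roles & MANAGER_ROLES
        if granted:
            findings.append((name, "holds manager role: " + ",".join(sorted(granted))))
    return findings


if __name__ == "__main__":
    for username, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{username}: {finding}")
```

On the sample the script reports the tomcat and role1 accounts as default credentials and lists both tomcat and deploy as Manager role holders; the unmodified tomcat account holding the manager role is exactly the condition the post exploits. If the realm is configured to store digested passwords, compare the digest of each candidate default instead of the literal string.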

Using the default credentials, we were able to access the Tomcat Manager. Great! But now what? The next thing we wanted to do was see if we could upload our own web application. As you can see from the example below, there are a number of apps already installed; what if we could install our own? This is where we turned to Laudanum. If you're not yet familiar with it, I recommend reading James Jardine's blog post, the Introduction of Laudanum.

The Tomcat Manager provides the ability to upload a Web Application Archive (WAR) file and deploy it onto the server. Laudanum includes a cmd.war file, which lets you send commands to the operating system and see the results from a web browser. James did a follow-up to his Introduction blog called Laudanum by Example: Shell, which demonstrates how to upload the cmd.war file and use it. James also has a video for those who would rather watch than read! Unfortunately, the upload of the cmd.war file was blocked on all the servers during our test. Not giving up, we turned to a really nice jsp File Browser tool by Tobi Vonloesch, which is available as a WAR file on SourceForge, or as a jsp file on Tobi's web site.

We were able to upload the filebrowser.war file and deploy it as a web app without getting blocked, sweet! Once deployed, the filebrowser jsp app gave us access to the web server's file system via the web browser by going to http://<server ip>:<tomcat port>/filebrowser/filebrowser.jsp.

This web app basically allowed us to navigate the entire file system, as if we were running a file manager directly on the server. It also allowed us to upload cmd.jsp, which is the .jsp file that would have been installed had we been able to upload and deploy the cmd.war file. Most of the servers on this particular engagement were Windows 2003 and 2008 servers, so our next obvious step was to access the command line and see if we could add a user. This was done by opening a new browser tab and going to http://<server ip>:<tomcat port>/filebrowser/cmd.jsp. This presented a form where we were able to submit commands to create a user account, siuser, and add it to the local administrators group, using the following commands:

Once we had our account added to the server with local administrator access, we were able to easily log in to the server with Remote Desktop Connector. From there we uploaded and executed a Metasploit payload, which provided a Meterpreter session. With Meterpreter, you are able to dump the hashes and then possibly do a pass-the-hash attack against other Windows servers on the network. So, now you know why we get so excited when we find administrative web consoles on servers, especially those using default creds. It's just a few steps away from sweet pwnage!
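Every step of the chain above leaves a line in the Tomcat access log: the Manager login with the default account, the WAR upload, and the later requests to filebrowser.jsp and cmd.jsp. The following Python script is an added example (not code from the original post) that walks such a log and flags exactly those events. It assumes the log was written by Tomcat's AccessLogValve with the "common" pattern, in which the third field is the Basic-auth user the Manager saw; the admin-host allow list, the default-account list and the sample log lines are constructed for the example.

```python
"""Flag Tomcat Manager deployments and known web-shell paths in an access log.

Added example, not code from the original post. It assumes the access log was
written by Tomcat's AccessLogValve with the "common" pattern
(%h %l %u %t "%r" %s %b), where %u is the Basic-auth user the Manager saw.
"""
import re
from posixpath import basename

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Hosts from which Manager use is expected (constructed for this example).
ADMIN_HOSTS = {"10.2.0.7"}

# Accounts that should never be seen authenticating to the Manager.
DEFAULT_ACCOUNTS = {"tomcat"}

# Manager paths that deploy a new application: the HTML manager's WAR upload
# form action and the text interface's deploy command.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/deploy")

# File names the post shows being dropped on the server (Laudanum cmd.jsp and
# the jsp File Browser).
WEB_SHELL_NAMES = {"cmd.jsp", "filebrowser.jsp"}

# Constructed sample log, modelled on the chain described in the post.
SAMPLE_LOG_LINES = [
    '10.1.1.50 - tomcat [14/Mar/2011:09:12:01 -0500] "GET /manager/html HTTP/1.1" 200 7211',
    '10.1.1.50 - tomcat [14/Mar/2011:09:12:40 -0500] "POST /manager/html/upload HTTP/1.1" 200 7480',
    '10.1.1.50 - - [14/Mar/2011:09:13:05 -0500] "GET /filebrowser/filebrowser.jsp HTTP/1.1" 200 4021',
    '10.1.1.50 - - [14/Mar/2011:09:14:22 -0500] "POST /filebrowser/cmd.jsp HTTP/1.1" 200 612',
    '10.2.0.7 - deploy [14/Mar/2011:10:00:00 -0500] "GET /manager/html HTTP/1.1" 200 7211',
    '192.168.3.9 - - [14/Mar/2011:10:05:13 -0500] "GET /index.jsp HTTP/1.1" 200 1024',
]


def scan_access_log(lines, admin_hosts=ADMIN_HOSTS):
    """Return (ip, path, reason) tuples for lines that warrant a look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ip, user, path = m.group("ip"), m.group("user"), m.group("path")
        path_only = path.split("?", 1)[0]  # drop the query string before matching

        if path_only.startswith("/manager"):
            if user in DEFAULT_ACCOUNTS:
                findings.append((ip, path_only, f"manager access with default account '{user}'"))
            if ip not in admin_hosts:
                findings.append((ip, path_only, "manager access from non-admin host"))
            if path_only.startswith(DEPLOY_PREFIXES):
                findings.append((ip, path_only, "application deployed via Manager"))

        if basename(path_only) in WEB_SHELL_NAMES:
            findings.append((ip, path_only, "known web-shell filename"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{ip} {path}: {reason}")
```

On the sample, every finding points at 10.1.1.50; the deploy user working from the allowed host produces nothing. A deployment through the Manager from anything other than your release pipeline is the line worth paging on, and the same allow list that the script checks after the fact can be enforced up front by fronting the Manager context with Tomcat's RemoteAddrValve and removing the sample users from tomcat-users.xml.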

Tony DeLaGrange is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at tony@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.